Master Circular on Know Your Client (KYC) norms for the securities market

..... lars/directions with the provisions of the Prevention of Money Laundering (Maintenance of Records) Rules, 2005 [1] and the Securities and Exchange Board of India [KYC (Know Your Client) Registration Agency] Regulations, 2011 [2]. The provisions of this Master Circular shall come into force from the date of its issue.

3. Any modifications/updation in existing KYC records shall be effected in line with the provisions of this Circular by December 31, 2023.

4. On and from the date of issue of this Circular, all circulars for the purpose of KYC as listed in the Appendix shall stand rescinded/modified as indicated therein.

5. Notwithstanding such rescission,
a) Anything done or any action taken or purported to have been done or taken under the rescinded circulars, prior to such rescission, shall be deemed to have been done or taken under the corresponding provisions of this Master Circular;
b) Any application made to the Board under the rescinded circulars, prior to such rescission, and pending before it shall be deemed to have been made under the corresponding provisions of this Master Circular;
c) The previous operation of the rescinded circulars or anything duly done or suffered thereunder, .....

..... he same meaning as assigned to it under Rule 2(1)(b) of the Prevention of Money Laundering (Maintenance of Records) Rules, 2005.
h. Designated Director shall have the same meaning as assigned to it under Rule 2(1)(ba) of the Prevention of Money Laundering (Maintenance of Records) Rules, 2005.
i. Digital KYC shall have the same meaning as assigned to it under Rule 2(1)(bba) of the Prevention of Money Laundering (Maintenance of Records) Rules, 2005.
j. Digital Signature shall have the same meaning as assigned to it under clause (p) of sub-section (1) of section 2 of the Information Technology Act, 2000 (21 of 2000).
k. e-KYC authentication facility shall have the same meaning as assigned to it under clause (j) of sub-section (1) of section 2 of the Aadhaar (Authentication and Offline Verification) Regulations, 2021.
l. Electronic Signature shall have the same meaning as assigned to it under clause (ta) of sub-section (1) of section 2 of the Information Technology Act, 2000 (21 of 2000).
m. Equivalent e-document shall have the same meaning as assigned to it under Rule 2(1)(cb) of the Prevention of Money Laundering (Maintenance of Records) Rules, 2005.
n. e-Sign is an online electroni .....

..... ed intermediaries shall use the KYC templates provided by the Central Registry of Securitisation Asset Reconstruction and Security Interest of India (CERSAI) for individuals and for legal entities for capturing the KYC information. The CKYCR templates (Individual and Legal Entity) provided by CERSAI are available at https://www.ckycindia.in/ckyc/?r=download.

6. Part II of the form shall obtain the additional information specific to the area of activity of the intermediary, as considered appropriate by them. The instant Master Circular deals with the provisions of Part I (KYC form).

Requirement of Permanent Account Number (PAN)

7. In order to strengthen the KYC norms and identify every participant in the securities market with their respective PAN, thereby ensuring a sound audit trail of all transactions, PAN shall be the unique identification number for all participants transacting in the securities market, irrespective of the amount of the transaction.

8. The registered intermediaries shall verify the PAN of their clients online at the Income Tax website without insisting on the original or a copy of the PAN card.

9. As per the provisions of the Income-tax Act, 1961 (Income Tax Act), the PAN allotte .....

..... otified by the Central Government in consultation with the Regulator.
b. Further, in terms of the proviso to the above Rule, where simplified measures are applied for verifying the identity of clients, the following documents shall also be deemed to be officially valid documents:
i. Identity card/document with the applicant's photo, issued by Central/State Government Departments, Statutory/Regulatory Authorities, Public Sector Undertakings, Scheduled Commercial Banks and Public Financial Institutions;
ii. Letter issued by a gazetted officer, with a duly attested photograph of the person.

15. The registered intermediaries shall not store/save the Aadhaar number of the client in their system. Further, in terms of PML Rule 9(16), every registered intermediary shall, where the client submits his Aadhaar number, ensure that such client redacts or blacks out his Aadhaar number by appropriate means where authentication of the Aadhaar number is not required under sub-rule (15) of PML Rule 9.

Proof of Address (PoA) [6]

16. At the time of commencement of an account-based relationship, the registered intermediaries shall, along with the PoI, obtain documents as proof of address.

17. The following d .....

..... f Indian Origin (PIO) Card/Overseas Citizenship of India (OCI) Card and overseas address proof is mandatory.

21. In case the officially valid document presented by a foreign national does not contain the details of address, documents issued by the Government departments of foreign jurisdictions and a letter issued by the Foreign Embassy or Mission in India shall be accepted as proof of address.

22. If any proof of address is in a foreign language, then a translation into English shall be required.

23. If the correspondence and permanent addresses are different, then proof for both shall be submitted.

Acceptance of third party address as correspondence address

24. A client can authorise the capture of the address of a third party as a correspondence address, provided that all prescribed Know Your Client norms are also fulfilled for the third party. The intermediary shall obtain proof of identity and proof of address for the third party. The intermediary shall also ensure that the client due diligence norms specified in Rule 9 of the PML Rules are complied with in respect of the third party.

25. Registered intermediaries at the time of commencement of an account-based relationship shall determine wheth .....

..... for investment in securities market.
d. Power of Attorney granted to its managers, officers or employees, as the case may be, to transact on its behalf.
e. Authorised signatories list with specimen signatures.
f. Copy of the balance sheet for the last financial year (initially for the last two financial years and subsequently for every last financial year).
g. Latest shareholding pattern including a list of all those holding control, either directly or indirectly, in the company in terms of the SEBI Takeover Regulations, duly certified by the company secretary/whole-time director/MD (to be submitted every year).
h. Photograph, POI, POA, PAN and DIN numbers of whole-time directors/two directors in charge of day-to-day operations.
i. Photograph, POI, POA, PAN of individual promoters holding control, either directly or indirectly.

ii. Partnership firm:
a. Certificate of registration (for registered partnership firms only).
b. Copy of the partnership deed.
c. Copy of the balance sheet for the last financial year (initially for the last two financial years and subsequently for every last financial year).
d. Authorised signatories list with specimen signatures.
e. Photograph, POI, POA, PAN of P .....

..... consent of the client before undertaking online KYC.

36. The PAN, name, photograph, address, mobile number and email ID of the client shall be captured digitally and the officially valid document shall be provided as a photo/scan of the original under electronic/digital signature, including Aadhaar e-Sign, and the same shall be verified.

37. Any officially valid document other than Aadhaar shall be submitted through DigiLocker / using electronic/digital signature, including Aadhaar e-Sign.

38. The mobile number of the client accepted as part of KYC should preferably be the one seeded with Aadhaar.

39. Mobile and email shall be verified through One Time Password (OTP) or another verifiable mechanism.

40. Aadhaar shall be verified through UIDAI's authentication/verification mechanism. Further, in terms of PML Rule 9(16), every intermediary shall, where the client submits his Aadhaar number, ensure that such client redacts or blacks out his Aadhaar number through appropriate means where authentication of the Aadhaar number is not required under sub-rule (15) of PML Rule 9.

41. e-KYC through the Aadhaar Authentication service of UIDAI (e-KYC) or offline verification through Aadhaar QR Code/ X .....

..... ginal officially valid document, through the electronic/digital signature including Aadhaar e-Sign, or;
ii. As a digitally signed document of the officially valid document, issued through DigiLocker by the issuing authority.

Features for online KYC App of the Intermediary

49. A SEBI registered intermediary can implement its own App for undertaking online KYC of clients.

50. The App shall facilitate taking photographs, scanning, acceptance of officially valid documents through Digilocker, video capturing in a live environment and usage of the App only by authorised persons of the intermediary.

51. The App shall also have features of random action initiation for client response, to establish that the interactions are not pre-recorded, along with time stamping and geo-location tagging, to ensure that requirements such as the physical location being in India are also met.

52. Registered intermediaries shall ensure that the process is a seamless, real-time, secured, end-to-end encrypted audio-visual interaction with the client and that the quality of the communication is adequate to allow identification of the client beyond doubt. Registered intermediaries shall carry out the liveliness check in .....

..... d by an OTP.
e) The intermediary shall ensure that the photograph of the client downloaded through the Aadhaar authentication/verification process matches the investor in the VIPV.
f) The VIPV shall be digitally saved in a safe, secure, tamper-proof and easily retrievable manner and shall bear date and time stamping.
g) The intermediary may have additional safety and security features other than those prescribed above.

61. IPV shall not be required in cases where:
a) the KYC of the client has been completed using the Aadhaar authentication/verification of UIDAI;
b) the KYC form has been submitted online and documents have been provided through Digilocker or any other source which can be verified online.

Adaptation of Aadhaar based e-KYC process and e-KYC Authentication facility for Resident Investors under section 11A of the Prevention of Money Laundering Act, 2002: KUA and Sub-KUA mechanism

62. Registered intermediaries, for reasons such as online on-boarding of clients, client convenience, increased efficiency and reduced time for client onboarding, would prefer to use the Aadhaar based e-KYC facility to complete KYC of the client.

63. The e-KYC service launched by UIDAI shall be a .....
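
Para 51 (random action initiation, time stamping, geo-location tagging) and clause (f) above (VIPV saved in a tamper-proof manner with date and time stamping) describe controls without saying how to build them. The following is an added example, not code from the circular or from any intermediary, of one way to implement both: the server issues a random action bound to a nonce and an expiry, and the saved recording is sealed under an HMAC that also covers the challenge it answered, the geo-tag and the time stamp, so a later edit to any of those fields is detectable. Assumptions of mine: the HMAC key lives outside the storage that holds recordings, the recording bytes and timestamps are constructed stand-ins, and the geo-tag is only sealed here, not checked against an India boundary dataset.

```python
"""Added example (not part of the SEBI circular): liveness challenge with expiry
and a tamper-evident, time-stamped seal over a saved VIPV recording.
Assumptions: HMAC key is held outside recording storage; the byte strings and
timestamps below are constructed for the demonstration."""
import hashlib
import hmac
import json
import secrets

# Server-side pool of actions the client is asked to perform live.
ACTIONS = (
    "blink twice",
    "turn head to the left",
    "hold up three fingers",
    "read the digits on screen aloud",
)


def issue_challenge(session_id: str, now: int, ttl_seconds: int = 30) -> dict:
    """Server-chosen random action plus a nonce, valid only for a short window,
    so a pre-recorded clip cannot satisfy it."""
    return {
        "session_id": session_id,
        "action": secrets.choice(ACTIONS),
        "nonce": secrets.token_hex(16),
        "issued_at": now,
        "expires_at": now + ttl_seconds,
    }


def response_is_timely(challenge: dict, responded_at: int) -> bool:
    """Reject responses before issuance (clock skew or replay) or after expiry."""
    return challenge["issued_at"] <= responded_at <= challenge["expires_at"]


def _canonical(manifest: dict) -> bytes:
    # Deterministic encoding: key order and separators fixed, so the MAC is reproducible.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def seal_recording(key: bytes, recording: bytes, challenge: dict,
                   geo: tuple, sealed_at: int) -> dict:
    """Bind the recording hash, the challenge it answered, the geo-tag and the
    time stamp under one HMAC; editing any field or the recording breaks it."""
    manifest = {
        "sha256": hashlib.sha256(recording).hexdigest(),
        "session_id": challenge["session_id"],
        "nonce": challenge["nonce"],
        "action": challenge["action"],
        "geo": {"lat": geo[0], "lon": geo[1]},
        "sealed_at": sealed_at,
    }
    mac = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    return {"manifest": manifest, "mac": mac}


def verify_sealed(key: bytes, sealed: dict, recording: bytes) -> bool:
    """Recompute the MAC over the manifest and the hash of the recording.
    Constant-time comparison so the check does not leak the MAC by timing."""
    expected = hmac.new(key, _canonical(sealed["manifest"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["mac"]):
        return False
    actual_hash = hashlib.sha256(recording).hexdigest()
    return hmac.compare_digest(actual_hash, sealed["manifest"]["sha256"])


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    chal = issue_challenge("sess-01", now=1_700_000_000)
    video = b"constructed stand-in for the VIPV recording bytes"
    sealed = seal_recording(key, video, chal, (19.0760, 72.8777), sealed_at=1_700_000_020)
    print(response_is_timely(chal, 1_700_000_010))
    print(verify_sealed(key, sealed, video))
    print(verify_sealed(key, sealed, video + b"x"))
```

The manifest, not the raw video, is what an auditor re-verifies: keep the sealed manifest beside the recording, and re-run verify_sealed on retrieval. Rotating the HMAC key means re-sealing existing manifests under the new key, so tie the key identifier into the manifest in a production build.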

..... I after scrutiny of the application forms of KUAs shall forward the applications along with its recommendation to UIDAI.

71. For appointment of a SEBI registered intermediary as a Sub-KUA, the KUA shall send the list of proposed Sub-KUAs to SEBI and SEBI would forward the list of recommended Sub-KUAs to UIDAI for onboarding.

72. An agreement shall be signed between the KUA and the Sub-KUA, as prescribed by UIDAI. The Sub-KUA shall also comply with the Aadhaar Act, 2016 and the regulations, circulars, guidelines etc. issued by UIDAI from time to time.

73. Each Sub-KUA shall be assigned a separate Sub-KUA code by UIDAI.

74. The KUA/Sub-KUA shall be guided by the above for use of the Aadhaar authentication services of UIDAI for e-KYC.

75. The KUAs and Sub-KUAs shall adopt the following process for Aadhaar e-KYC of investors (resident) in the securities market:

A. Online Portal based Investor (Resident) e-KYC Process (Aadhaar as an officially valid document)
i. Client visits the portal of the KUA or of the SEBI registered intermediary which is also a Sub-KUA to open an account/invest through the intermediary.
ii. For Aadhaar e-KYC, the client is redirected to the KUA portal. The client enters the Aadhaar Number or Virtual ID and provides consent o .....

..... Act/Regulations and circulars issued by UIDAI from time to time.
iv. The KUA/Sub-KUA shall not store the Aadhaar number in their database under any circumstances. It shall be ensured that the Aadhaar number is captured only using UIDAI's Aadhaar Number Capture Services (ANCS).
v. The KUA shall maintain auditable logs of all transactions where e-KYC data has been shared with a Sub-KUA, for a period specified by the Authority.
vi. It shall be ensured that the full Aadhaar number is not stored or displayed anywhere in the system and, wherever required, only the last 4 digits of the Aadhaar number may be displayed.
vii. As per Regulation 14(i) of the Aadhaar (Authentication) Regulations, 2016, the requesting entity shall implement exception-handling mechanisms and a backup identity authentication mechanism to ensure seamless provision of authentication services to Aadhaar number holders.
viii. UIDAI may conduct audits of all KUAs and Sub-KUAs as per the Aadhaar Act, Aadhaar Regulations, AUA/KUA Agreement, guidelines, circulars etc. issued by UIDAI from time to time.
ix. Monitoring of irregular transactions: KUAs shall develop an appropriate monitoring mechanism to record irregular transactions and their reporting to UID .....

..... (ii) telephonic conversation; (iii) visits, etc.
c. The registered intermediaries shall forward the KYC completion intimation letter through registered post/speed post or courier to the address of the client in cases where the client has given an address other than that given in the officially valid document. In cases where the intimation letter is returned for wrong/incorrect address, addressee not available etc., no transactions shall be allowed in such account and intimation shall also be sent to the Stock Exchange and Depository.
d. The registered intermediaries and KRAs shall flag such accounts in their records/systems.

Confidentiality of client information

81. Registered intermediaries shall keep confidential every information maintained, furnished or verified, save as otherwise provided under any law for the time being in force.

Section 2: Know Your Client (KYC) Registration Agency

82. A mechanism of Know Your Client Registration Agencies (KRAs) in the securities market has been developed for centralisation of KYC records. The KRAs shall be administered under the SEBI KYC Registration Agency (KRA) Regulations, 2011.

Guidelines for Intermediaries:

83. The client shall be allowed to .....

..... eral agencies exempt from paying taxes / filing tax returns in India, etc.

Rationalisation of Risk Management Framework at KRAs

96. As a part of the risk management framework, the KRAs shall verify the following attributes of the records of all clients within 2 days of receipt of KYC records:
a. PAN (including PAN-Aadhaar linkage, as referred to in rule 114AAA of the Income-tax Rules, 1962)
b. Name
c. Address

97. Additionally, the KRAs shall verify the client's mobile number and email id.

98. In case of PAN-exempt records, the other attributes, i.e. name, address, mobile number and email id, shall be verified by the KRAs.

99. Clients in whose case the attributes of records mentioned in para 96/97 above cannot be verified shall not be allowed to transact further in the securities market until the attributes are verified.

100. The records of those clients in respect of which all attributes mentioned in para 96/97 above are verified by KRAs with official databases (such as the Income Tax Department database on PAN, Aadhaar XML/Digilocker/M-Aadhaar) shall be considered as Validated Records.

101. The validated records shall be allowed portability, i.e. the client need not undergo the KYC process again .....

..... continuity management should aim for timely recovery of operations and fulfilment of its obligations in the event of a cyber-attack.

110. Since KRAs perform the important function of maintaining KYC records of clients in the securities market, the KRAs shall have a robust Cyber Security and Cyber Resilience framework in order to provide essential facilities and perform systemically critical functions relating to the securities market.

111. The framework placed at Annexure A shall be complied with by the KRAs with regard to Cyber Security and Cyber Resilience.

112. The KRAs shall conduct a comprehensive cyber audit at least twice in a financial year. All KRAs shall submit a declaration from the MD/CEO certifying compliance by the KRAs with all SEBI Circulars and advisories related to Cyber Security from time to time, along with the cyber audit report.

Central KYC Records Registry (CKYCR)

113. The Government of India has authorised the Central Registry of Securitisation Asset Reconstruction and Security Interest of India (CERSAI), set up under sub-section (1) of Section 20 of the Securitisation and Reconstruction of Financial Assets and Enforcement of Security Interest Act, 2002, to act as, and to perform t .....

..... ecurity and Cyber Resilience policy document encompassing the framework mentioned hereunder. The policy document shall be approved by the Board of the KRA, and in case of deviations from the suggested framework, reasons for such deviations shall also be provided in the policy document. The policy document shall be reviewed by the Board of the KRA at least annually with a view to strengthening and improving its Cyber Security and Cyber Resilience framework.

3. The Cyber Security and Cyber Resilience policy shall include the following processes to identify, assess and manage cyber security risk associated with processes, information, networks and systems:
3.1. Identify critical IT assets and the risks associated with such assets,
3.2. Protect assets by deploying suitable controls, tools and measures,
3.3. Detect incidents, anomalies and attacks through appropriate monitoring tools/processes,
3.4. Respond by taking immediate steps after identification of the incident, anomaly or attack,
3.5. Recover from the incident through the incident management, disaster recovery and business continuity framework.

4. The Cyber Security policy shall encompass the principles prescribed by the National Critical Information Inf .....

..... ive financial data, Personally Identifiable Information (PII) data, etc. All ancillary systems used for accessing/communicating with critical systems, either for operations or maintenance, shall also be classified as critical systems. The Board of the KRA shall approve the list of critical systems. To this end, KRAs shall maintain an up-to-date inventory of their hardware and systems, software and information assets (internal and external), details of their network resources, connections to their network and data flows.

12. KRAs shall accordingly identify the cyber risks (threats and vulnerabilities) that they may face, along with the likelihood of such threats and their impact on the business, and thereby deploy controls commensurate with the criticality.

13. KRAs shall also encourage their third-party providers, if any, to have similar standards of Information Security.

Protection

Access Controls

14. No person by virtue of rank or position shall have any intrinsic right to access confidential data, applications, system resources or facilities.

15. Any access to the KRA's systems, applications, networks, databases, etc. shall be for a defined purpose and for a defined period. KRAs shall grant access to .....
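
Paras 14 and 15 state the access-control rule (no intrinsic right by rank; every access for a defined purpose and a defined period) but not how a system enforces it. The following is an added example of mine, not code from the circular or from any KRA, of a grant registry that refuses a grant without a purpose, an approver or a bounded period, answers access checks from live grants alone with no role or rank input, and sweeps expired grants on a schedule. The principals, resources, period cap and timestamps are constructed for the demonstration.

```python
"""Added example (not part of the SEBI circular): enforcing Annexure A paras
14-15, access only under an explicit, purpose-bound, time-bound grant, with no
bypass for rank. Principals, resources and timestamps are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    principal: str
    resource: str
    purpose: str        # recorded for audit; an empty purpose is refused
    granted_by: str     # approver; self-approval is refused
    granted_at: int     # epoch seconds
    expires_at: int     # epoch seconds; defines the "defined period"


class AccessRegistry:
    def __init__(self, max_period_seconds: int) -> None:
        self.max_period = max_period_seconds   # policy cap on any single grant
        self._grants = {}                      # (principal, resource) -> Grant
        self.audit = []                        # (event, principal, resource, at)

    def grant(self, g: Grant) -> None:
        """Accept a grant only if it has a purpose, an independent approver
        and a positive period within the policy cap."""
        if not g.purpose.strip():
            raise ValueError("grant needs a stated purpose")
        if g.granted_by == g.principal:
            raise ValueError("self-approval not allowed")
        period = g.expires_at - g.granted_at
        if period <= 0 or period > self.max_period:
            raise ValueError("grant period must be positive and within the policy cap")
        self._grants[(g.principal, g.resource)] = g
        self.audit.append(("grant", g.principal, g.resource, g.granted_at))

    def revoke(self, principal: str, resource: str, now: int) -> bool:
        """Immediate revocation when access is no longer required."""
        removed = self._grants.pop((principal, resource), None) is not None
        if removed:
            self.audit.append(("revoke", principal, resource, now))
        return removed

    def is_allowed(self, principal: str, resource: str, now: int) -> bool:
        """No role or rank parameter: only a live grant permits access."""
        g = self._grants.get((principal, resource))
        return g is not None and g.granted_at <= now < g.expires_at

    def expire(self, now: int) -> list:
        """Scheduled sweep: drop grants whose period has ended; return them
        so the caller can reconcile accounts and sessions against the list."""
        dead = [g for g in self._grants.values() if now >= g.expires_at]
        for g in dead:
            del self._grants[(g.principal, g.resource)]
            self.audit.append(("expire", g.principal, g.resource, now))
        return dead


if __name__ == "__main__":
    reg = AccessRegistry(max_period_seconds=8 * 3600)
    reg.grant(Grant("ops-anita", "kyc-db-prod", "INC-42 restore of failed batch",
                    "ciso-ravi", 1_700_000_000, 1_700_000_000 + 3600))
    print(reg.is_allowed("ops-anita", "kyc-db-prod", 1_700_001_000))   # inside period
    print(reg.is_allowed("md-office", "kyc-db-prod", 1_700_001_000))   # no grant, any rank
    print(reg.expire(1_700_000_000 + 3600))                             # sweep at expiry
```

The registry is the decision point; the enforcement point (database proxy, bastion, IAM policy) must call is_allowed on each session open and honour the expire sweep by terminating sessions, otherwise a session opened inside the period outlives it.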

..... all times by authorised employees.

25. Physical access to the critical systems shall be revoked immediately if the same is no longer required.

26. KRAs shall ensure that the perimeter of the critical equipment room is physically secured and monitored by employing physical, human and procedural controls such as the use of security guards, CCTVs, card access systems, mantraps, bollards, etc., where appropriate.

Network Security Management

27. KRAs shall establish baseline standards to facilitate consistent application of security configurations to operating systems, databases, network devices and enterprise mobile devices within the IT environment. The KRAs shall conduct regular enforcement checks to ensure that the baseline standards are applied uniformly.

28. KRAs shall install network security devices, such as firewalls as well as intrusion detection and prevention systems, to protect their IT infrastructure from security exposures originating from internal and external sources.

29. Anti-virus software shall be installed on servers and other computer systems. Updating of anti-virus definition files and automatic anti-virus scanning shall be done on a regular basis.

Security of Da .....

..... on Testing (VAPT)

40. KRAs shall carry out periodic vulnerability assessment and penetration tests (VAPT) which inter alia include critical assets and infrastructure components like servers, networking systems, security devices, load balancers and other IT systems pertaining to the activities done as KRAs, in order to detect security vulnerabilities in the IT environment and carry out an in-depth evaluation of the security posture of the system through simulations of actual attacks on its systems and networks. KRAs shall conduct VAPT at least once in a financial year. However, for KRAs whose systems have been identified as protected systems by NCIIPC under the Information Technology (IT) Act, 2000, VAPT shall be conducted at least twice in a financial year. Further, all KRAs are required to engage only CERT-In empanelled organisations for conducting VAPT. The final report on the said VAPT shall be submitted to SEBI, after approval from the Technology Committee of the respective KRA, within one month of completion of the VAPT activity.

41. Any gaps/vulnerabilities detected shall be remedied on an immediate basis and compliance of closure of findings identified during VAPT shall be submitted to SEBI within 3 m .....

..... covery plan.

Sharing of information

51. All cyber-attacks, threats, cyber-incidents and breaches experienced by KRAs shall be reported to SEBI within 6 hours of noticing/detecting such incidents or being brought to notice about such incidents. The incident shall also be reported to the Indian Computer Emergency Response Team (CERT-In) in accordance with the guidelines/directions issued by CERT-In from time to time. Additionally, KRAs whose systems have been identified as Protected Systems by the National Critical Information Infrastructure Protection Centre (NCIIPC) shall also report the incident to NCIIPC. The quarterly reports containing information on cyber-attacks, threats, cyber-incidents and breaches experienced by KRAs and measures taken to mitigate vulnerabilities, threats and attacks, including information on bugs/vulnerabilities/threats that may be useful for other KRAs, shall be submitted to SEBI within 15 days from the quarter ended June, September, December and March of every year. The above information shall be shared through the dedicated e-mail id: [email protected]. The format for submitting the quarterly reports is attached as Annexure C.

52. Such details as are fel .....

..... / release No.):
Last Patched/Updated:
Hardware Vendor/Model:

4. Type of incident:
__ Phishing
__ Network scanning/Probing
__ Break-in/Root Compromise
__ Virus/Malicious Code
__ Website Defacement
__ System Misuse
__ Spam
__ Bot/Botnet
__ Email Spoofing
__ Denial of Service (DoS)
__ Distributed Denial of Service (DDoS)
__ User Account Compromise
__ Website Intrusion
__ Social Engineering
__ Technical Vulnerability
__ IP Spoofing
__ Ransomware
__ Other _____

5. Description of incident:

6. Unusual behaviour/symptoms (tick the symptoms):
__ System crashes
__ New user accounts/accounting discrepancies
__ Failed or successful social engineering attempts
__ Unexplained, poor system performance
__ Unaccounted-for changes in the DNS tables, router rules, or firewall rules
__ Unexplained elevation or use of privileges
__ Operation of a program or sniffer device to capture network traffic
__ An indicated last time of usage of a user account that does not correspond to the actual last time of usage for that user
__ A system alarm or similar indication from an intrusion detection tool
__ Altered home pages, which are usually the intentional target for visibility, or other pages on the Web ser .....

..... IRSD/1/2015 dated 04-Mar-15: Saral Account Opening Form for Resident Individuals
14. CIR/MIRSD/29/2016 dated 22-Jan-16: Know Your Client Requirements - Clarification on Voluntary Adaptation of Aadhaar Based e-KYC Process
15. CIR/MIRSD/66/2016 dated 21-Jul-16: Operationalisation of Central KYC Records Registry (CKYCR)
16. CIR/MIRSD/120/2016 dated 10-Nov-16: Uploading of the Existing Clients' KYC Details with Central KYC Records Registry (CKYCR) System by the Registered Intermediaries
17. SEBI/HO/MIRSD/DOP/CIR/P/2019/111 dated 15-Oct-19: Cyber Security and Cyber Resilience framework for KYC Registration Agencies
18. SEBI/HO/MIRSD/DOP/CIR/P/2019/123 dated 05-Nov-19: e-KYC Authentication Facility under Section 11A of the Prevention of Money Laundering Act, 2002 by Entities in the Securities Market for Resident Investors
19. SEBI/HO/MIRSD/DOP/CIR/P/2020/73 dated 24-Apr-20: Clarification on Know Your Client (KYC) Process and Use of Technology for KYC
20. SEBI/HO/MIRSD/DOP/CIR/P/2020/80 dated 12-May-20: Entities Permitted to Undertake e-KYC Aadhaar Authentication Service of UIDAI in Securities Market
21. SEBI/HO/MIRSD/DOP/CIR/P/2020/167 dated 08-Sep-20: Entities Permitted to Undertake e-KY .....
